11/10/2003 Pki4ipsec-nov03-agenda BOF Profiling Use of PKI in IPsec pki4ipsec Chairs: Gregory M Lebovitz ( [email protected] ) Steve Hanna ([email protected])

11/10/2003 Pki4ipsec-nov03-agenda

BOF: Profiling Use of PKI in IPsec (pki4ipsec)

Chairs: Gregory M Lebovitz ([email protected]), Steve Hanna ([email protected])


Agenda

• Agenda Bashing - 5 min

• Summary of Effort - 5 min

• Needs Assessment, Steve Hanna - 5 min

• Architecture - 15 min

• Review Existing Docs/Text - 45 min

• Charter Bashing - 45 min

• Next Steps - 10 min


Architecture

• Presentation

http://www.projectdploy.com/draft-dploy-requirements-00.pdf

• Review and discussion


Current Profile Text/Thought

• draft-ietf-ipsec-pki-profile-03.txt – Korver

• Dploy draft – Gregory Lebovitz

http://www.projectdploy.com/draft-dploy-requirements-00.pdf

• Certificate Handling Profiles – P. Hoffman

http://www.vpnc.org/ipsec-pki-profile.pdf

• Clarifying questions on Current Text


Scope

• IPsec Scenarios: s2s VPN and Secure Remote Access VPN

• CMC as the certificate lifecycle management protocol


Proposed Charter Items

1. Requirement Document

2. Profile Documents

   1. Certificate Format & Contents

   2. Certificate Usage and IPsec Payloads (IKEv1, IKEv2)

   3. Certificate Request/Retrieval by IPsec Peer

   4. Certificate Lifecycle Management (renewal, revocation, validation)

3. Implementation and Interoperability report


Timeline

• 1 year


Next Steps


BACKUP SLIDES FOLLOW


Open Issues

1. IKEv1 and IKEv2: in one doc or two docs?

2. V1 - Need a way to determine which of potentially many certs is end entity cert. Could send EECert as first one?

3. V1 Should ID_ipv4/v6_addr, ID_FQDN, ID_USER_FQDN all be MUSTs? Right now only _ADDR is MUST. Is that enough for broad interop?


Need ID for…

1. How to find EE cert

2. To look up policy for IKE

3. Authentication - understand who the sender claims to be, and use it to verify they are who they say they are

4. Authorization - To determine IPsec Access Control and treatment

5. Logging / Auditing – something meaningful to the network/device operations teams

Anything else missing?


Places to Find ID Elements

• IKE ID Payload

• Cert – SubjectAltName types

• Cert – DN fields/types

• Any one, or a combination, of the above


IKEv1 Checking Options

1. Fill in IKE ID payload w/ something in Cert SubjectAltName and check that the two match

2. Just present Cert, and let receiving peer’s local policy determine what they extract and use as ID

3. Fill in ID w/ something to match IKE SPD entry on receiving peer, then use some SubjectAltName field (as defined by local policy) to do ACL lookup and IPsec SA setup
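Added example, not code from the slides or from any of the drafts listed: a stdlib-only Python check for option 1 above (the IKE ID payload must equal a SubjectAltName entry of the corresponding type, using the SAN types named on the previous slide), plus a resolver for open issue 2 (picking the end-entity cert when several are sent). The ID-type-to-SAN-type mapping, the function names and the sample values are assumptions of this example.

```python
import ipaddress

# SubjectAltName GeneralName type each IKEv1 ID payload type is compared against.
# The mapping is an assumption of this example; the slide only names the ID types.
SAN_TYPE_FOR_ID = {
    "ID_IPV4_ADDR": "iPAddress",
    "ID_IPV6_ADDR": "iPAddress",
    "ID_FQDN": "dNSName",
    "ID_USER_FQDN": "rfc822Name",
}

def _canonical(san_type, value):
    """Canonical form for comparison; raises ValueError on a malformed address."""
    if san_type == "iPAddress":
        return str(ipaddress.ip_address(value))  # 2001:0db8::0001 -> 2001:db8::1
    if san_type == "rfc822Name" and "@" in value:
        local, domain = value.rsplit("@", 1)
        return local + "@" + domain.lower()  # only the domain part is case-insensitive
    return value.lower().rstrip(".")  # DNS names: case-insensitive, ignore trailing dot

def id_matches_san(id_type, id_value, san_entries):
    """Option 1: True only if an equal SubjectAltName entry of the type that
    corresponds to the ID payload type exists (exact match, no wildcards)."""
    san_type = SAN_TYPE_FOR_ID.get(id_type)
    if san_type is None:
        return False  # ID type the profile does not cover, e.g. a DER-encoded DN
    try:
        wanted = _canonical(san_type, id_value)
    except ValueError:
        return False  # malformed address in the ID payload
    for entry_type, entry_value in san_entries:
        if entry_type != san_type:
            continue  # never match across types: "192.0.2.1" in a dNSName is not an address
        try:
            if _canonical(entry_type, entry_value) == wanted:
                return True
        except ValueError:
            continue  # a malformed SAN entry does not match anything
    return False

def find_end_entity(certs):
    """Open issue 2: from an unordered set of (subject, issuer) pairs, the end-entity
    cert is the one whose subject issues nothing else; None when that is ambiguous."""
    issuers = {issuer for _, issuer in certs}
    leaves = [c for c in certs if c[0] not in issuers]
    return leaves[0] if len(leaves) == 1 else None
```

The constructed inputs in the test below stand in for the decoded ID payload and the SAN extension of a parsed certificate; a real implementation would feed it values from its X.509 parser.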


IKEv1 and IKEv2

• IKEv1 – we will spend most of our time profiling for IKEv1. We will prioritize this.

• IKEv2


Revocation

• Philosophy question: do we profile use of PKI for authorization?


Contentious Issues to Decide

• Revocation Method and Impact on Cert contents and IKE payloads

• Identity and its correlation to Authentication and Authorization

• Do Request and Retrieval impact the format and payloads document, or are they orthogonal?